ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » General IBM MQ Support » Options to grant access to all MQ objects

Post new topic  Reply to topic
 Options to grant access to all MQ objects « View previous topic :: View next topic » 
Author Message
ammx
PostPosted: Thu Dec 21, 2017 11:07 am    Post subject: Options to grant access to all MQ objects Reply with quote

Acolyte

Joined: 08 Sep 2017
Posts: 50

Hi

When you want to grant all access to all MQ objects under a queue manager, which is the best option, to add the user to the mq group and then use the following comand

setmqaut -m QMgrName -n '**' -t queue -g GroupName +alladm

or to use the -p option like this:

setmqaut -m QMgrName -n '**' -t queue -p Username +alladm

Thanks in advance
Back to top
View user's profile Send private message
exerk
PostPosted: Thu Dec 21, 2017 1:07 pm    Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Any user within the mqm group automatically has god rights to MQ resources, so setting any authorities for that user is pointless.

That said, DON'T EVER, EVER, ADD USERS TO THE mqm GROUP! On UNIX (depending on version and security model) DON'T EVER, EVER, USE A PRINCIPAL NAME WHEN SETTING AUTHORITIES!
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Back to top
View user's profile Send private message
bruce2359
PostPosted: Thu Dec 21, 2017 1:11 pm    Post subject: Re: Options to grant access to MQ objects Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

ammx wrote:
Hi

When you want to grant all access to all MQ objects under a queue manager, which is the best option, to add the user to the mq group and then use the following comand

setmqaut -m QMgrName -n '**' -t queue -g GroupName +alladm

or to use the -p option like this:

setmqaut -m QMgrName -n '**' -t queue -p Username +alladm

Thanks in advance


No, no, no, no, NO!

Do not add anyone to the the mqm administrative group who isn't an administrator. Members of the mq admin group have ALL privilege - without restriction.

Why do you want to grant all to anyone? An auditor? A programmer?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Back to top
View user's profile Send private message
ammx
PostPosted: Thu Dec 21, 2017 2:18 pm    Post subject: Reply with quote

Acolyte

Joined: 08 Sep 2017
Posts: 50

Yes, i wanted to grant access for a single user to all of the MQ objects of a queue manager and wasn't sure if the -p Username parameter of the setmqaut was the correct one
Back to top
View user's profile Send private message
bruce2359
PostPosted: Thu Dec 21, 2017 3:31 pm    Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

The mqm admin group also grants access to control commands, like crtmqm (create a qmgr), strmqm (start qmgr), endmqm (stop a qmgr), dltmqm (delete qmgr), and other dangerous commands.

Why are you doing this? Did management approve? The auditors? Who (job description) wants this privilege?

As my esteemed colleague noted, there is no need to grant (or deny) permissions to a member of the mqm admin group - all permissions are granted to mqm members (group and principal). You cannot take away any permissions from an mqm group/principal.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Back to top
View user's profile Send private message
PeterPotkay
PostPosted: Fri Dec 22, 2017 10:13 am    Post subject: Reply with quote

Poobah

Joined: 15 May 2001
Posts: 7717

The OP never mentioned the mqm group.

As of MQ version 8 it is possible to safely grant a principle MQ authorities without it cascading up to the principle's primary group and thus all members of that group.
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
exerk
PostPosted: Fri Dec 22, 2017 10:33 am    Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

PeterPotkay wrote:
The OP never mentioned the mqm group.

True, but the OP did mention the mq group so my assumption was that the mqm group was meant.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Back to top
View user's profile Send private message
ammx
PostPosted: Fri Dec 22, 2017 2:35 pm    Post subject: Reply with quote

Acolyte

Joined: 08 Sep 2017
Posts: 50

Hi

I am the system administrator of the server and I got the request to create the new user, I don't know which is the role of the person who requested this, but management has already approved.
Back to top
View user's profile Send private message
bruce2359
PostPosted: Fri Dec 22, 2017 6:19 pm    Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

I believe strongly that the primary responsibility of a sysadmin is to protect the organization from the ignorance of management.

Ask management why this person needs all access. Will read-only access suffice? Is this person MQ admin trained?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » General IBM MQ Support » Options to grant access to all MQ objects
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.